The security "issue" is not so much about us adding security to WS-Context but more
a "security considerations" section that can discuss any special security
concerns in this spec and compatibility with other specs such as WS-Security.
That's how the other OASIS WS-specs seem to be handling things. We should have
some proposed text published this week.
Cheers,
Martin.
I don't believe so, but see below.
We actually decided to ask the editors to work on the resolved issues, and for
members to raise any other issues on their minds as soon as possible. I raised
this point in writing on the list at the time (failed to formalize it into an
issue because I wasn't clear in my own mind). Now that "feedback" arrives in
the shape of an issue on security [what is the exact content of that by the
way: I can't see any text other than the summary in the Bugzilla record?], it
made me think that the "security through obscurity" approach of two refs
(which I think is a "Habsburg tail", an evolutionary vestige) is just not
right, and that it would be a very simple change to collapse two into
one.
The other aspect (introducing "security") is obviously a much weightier
matter.
I'm not greatly fussed about the two-to-one, but I think it would clean things up.
I think that in formal terms the issues list is not closed
until the document is approved, but I appreciate that a
new issue at this late stage might be seen as somewhat
anti-social, in which case I'm happy to let it ride.
Alastair
Alastair, I thought that we agreed in SF that
unless there are significant bugs, we had closed the issues list for
WS-Context for the 1.0 release? So, the idea of making context-service and
context-manager a single reference, although interesting to explore, should
be deferred to after the 1.0 release IMO.
Mark.
----- Original Message -----
Sent: Tuesday, September 07, 2004 4:28 PM
Subject: RE: [ws-caf] outstanding issues for WS-Context
I believe that this issue must be related to my "informal issue" of
access control. In other words, if we "secure" then we authorize (and
there are various kinds of reads and writes); to authorize we have to
authenticate -- which was where my thinking fell down. Authentication by
interface reference (I'll give you references only for the operations I
wish you to use) only works if the references are artificially different,
and after a while it won't be hard to work around that type of
"protection".
I believe that the introduction of authentication/authorization is
a good idea (I'm not the right person to propose how to do it in a
WS-friendly way), and I further think that we should remove the double
reference we currently have, so that the context service and the context
manager are a single service reference.
Alastair
The only two issues remaining for WS-Context are:
and on conformance.
Expect a follow up in the next few days,
hopefully prior enough to the next telecon. that we can discuss them and
anything else related to 0.6.
Mark.
P.S. Now for WS-CF :-)
---- Mark Little, Chief Architect,
Transactions, Arjuna Technologies Ltd. www.arjuna.com